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2018 was a landmark year for data protection. Оп 25 
May 2018, the long anticipated General Data Protection 
Regulation (GDPR) entered into application. In addition to 
updating the European Union’s data protection rules for the 
digital age, this Regulation established the European Data 
Protection Board (EDPB) to ensure consistent application of 
the new rules across the EEA. 


The EDPB is therefore a young EU body. Yet even in the first 
seven months of its existence, we have reached several 
milestones which we are now able to reflect upon. 


Our role is to ensure the harmonised enforcement of the 
GDPR across the EEA. To this end, we endorsed the 16 
GDPR related Guidelines of the Article 29 Working Party, 
we adopted four more Guidelines, 26 Opinions on Data 
Protection Impact Assessments carried out by the national 
Supervisory Authorities and held five plenary meetings 
addressing a range of topics, from the EU-Japan draft 
adequacy decision to electronic evidence and ePrivacy. 


The feedback we have received from stakeholders on the 
first year of work has been encouraging. Many people and 
companies are now calling for increased global alignment 
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on the processing of personal data. We believe that by 
coordinating a consistent approach to data protection, 
the EU is demonstrating that respect for individuals’ 
rights to privacy and data protection can go hand-in-hand 
with a flourishing economy, not least because it provides 
businesses with a clear framework and creates competitive 
advantages, such as improved customer loyalty and more 
efficient operations. 


Next year is set to be even busier. At the beginning of 2019, 
we adopted our working programmes for 2019-2020. The 
EDPB work programme aims to address the priority needs 
of all stakeholders, including EU legislators. Having already 
issued guidance on the interpretation of new provisions 
introduced by the GDPR, the EDPB will now turn its attention 
to specific items and technologies. 


In my view, with national Supervisory Authorities working 
together on an equal footing and the support of a dynamic 
Secretariat, the EDPB is well equipped for its mission of 
upholding a high level of data protection across the EEA. 
Looking ahead, | am confident that we will continue to lead 
by example in striving for transparency and cooperation in 
the EEA, and beyond. 


Andrea Jelinek 
Chair of the European Data Protection Board 
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About the European 
Data Protection Board 


The European Data Protection Board is an independent 


European body, established by the General Data Protection 


Regulation (GDPR), which contributes to the consistent 
application of data protection rules throughout the European 
Economic Area (EEA) and promotes cooperation between its 
data protection authorities. 


The EDPB aims to ensure the consistent application in the 
European Economic Area of the GDPR and of the European 
Law Enforcement Directive. 


The EDPB can adopt general guidance to further clarify 
European data protection laws, giving stakeholders - 
including individuals — a consistent interpretation of their 
rights and obligations and providing supervisory authorities 
with a benchmark for enforcing the GDPR. 


The EDPB is also empowered to issue opinions or decisions 


to guarantee the consistent application of the GDPR by the 
national Supervisory Authorities (‘Consistency Opinions’ 
or ‘Consistency Decisions’). The EDPB also advises the 
European Commission on any issue related to the protection 
of personal data and new proposed legislation in the 
European Union. 


The Board acts in accordance with its rules of procedure and 
guiding principles. 


The EDPB is composed of representatives of the national 
data protection authorities and the European Data Protection 
Supervisor (EDPS). The Supervisory Authorities of the EFTA 
EEA States (Iceland, Liechtenstein and Norway) are also 
members with regard to GDPR-related matters, although 
they do not hold the right to vote nor can they be elected as 
chair or deputy chair. The European Commission and — with 
regard to GDPR-related matters — the European Free Trade 





Association (EFTA) Surveillance Authority have the right to 
participate in the activities and meetings of the Board, but 
without voting rights. 


The EDPB has a Secretariat, which is provided by the EDPS. 
A Memorandum_of Understanding determines the terms 
of cooperation between the EDPB and the EDPS. This 
Memorandum was signed during the first plenary meeting of 
the European Data Protection Board on 25 May 2018. 
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2018 Setting up of the EDPB 
and the Secretariat — an overview 


The rules of procedure were adopted during the first 





plenary meeting of the European Data Protection Board, 
which took place on 25 May 2018. Several modifications 
were approved on 23 November 2018. 

To assist in performing its tasks, several expert 
subgroups were set up within the EDPB. In addition, the 
EDPB Secretariat was established to provide analytical, 


administrative and logistical support to the EDPB. 


3.1. EDPB’S ACTIVITIES 

Between 25 May and 31 December 2018, the EDPB held five 
plenary sessions. In addition, there were 36 subgroup 
meetings. 


During its first plenary meeting on 25 May 2018, the EDPB 
endorsed 16 Guidelines previously established by the 
Article 29 Working Party (WP29). During the remainder of 
2018, the EDPB adopted four more Guidelines that aim 


to clarify a range of provisions under the GDPR. These 
Guidelines addressed certification and the identification of 
certification criteria, derogations relating to international 
transfers, the territorial scope of the GDPR and the 
accreditation of certification bodies. 


To guarantee the consistent application of the GDPR in 
cases where a competent Supervisory Authority wants to 
adopt specific measures having cross-border implications, 
the EDPB issues Consistency Opinions. The competent 
Supervisory Authority has to take utmost account of the 
opinion. Between 25 May and 31 December 2018, 26 
Opinions on the national lists of processing operations 
subject to a Data Protection Impact Assessment (DPIA) were 
adopted by the EDPB. The purpose of the exercise was to 
ensure consistency across all national lists. 


The EDPB also acts as a dispute resolution body and 
issues binding decisions. From 25 May to 31 December 





2018, however, no dispute resolutions were initiated. This 
suggests that, to date, Supervisory Authorities have been 
able to reach consensus on all current cross border cases. 


The EDPB advises the European Commission on any 
issue related to the protection of personal data, including 
assessments of the standard of data protection in third 
countries or international organisations. In 2018, the EDPB 
issued two such Opinions, at the request of the Commission: 
one on electronic evidence (e-Evidence) and one on the 
EU-Japan draft adequacy decision. On its own initiative, the 
EDPB also adopted a statement on economic concentration. 


In 2018, the EDPB also adopted two letters, the first 
providing guidance to the Internet Corporation for Assigned 
Names and Numbers (ICANN) on how to develop a GDPR- 
compliant model for access to personal data processed in 
the context of their WHOIS system and the second relating 
to the revised Payments Services Directive (PSD2 Directive). 


3.2. SUPERVISORY AUTHORITIES’ ACTIVITIES 

Under the GDPR, the Supervisory Authorities have a duty 
to cooperate in order to ensure consistent application of 
the Regulation on cases with a cross-border component. 
Different cooperation procedures exist such as joint 
operations, mutual assistance, or a specific cooperation 
procedure labelled “One-Stop-Shop”. 


Between 25 May and 31 December 2018, 255 cases with a 
cross-border component were registered in the IMI system. 
Most of the cases derived from complaints by individuals 
(176 cases). The rest (79 cases) originated from other 
sources. The three main topics of these cases related to data 
subjects’ rights, consumer rights, and data breaches. 


In 2018, 43 One-Stop-Shop procedures were initiated 
by SAs from 14 different EEA countries. At the end of the 
year, the procedures were at different stages: 20 were at 
the informal consultation level, 20 were at draft decision 
level and two were final decisions. These first One-Stop- 
Shop final decisions related to the exercise of the rights of 
individuals, the appropriate legal basis for data processing 
and data breach notifications. 


The mutual assistance procedure allows for Supervisory 
Authorities to ask for information from other SAs, but also 
to request other measures for effective cooperation. In 
the period between 25 May and 31 December 2018, 397 
mutual assistance requests, both formal and informal, were 
triggered. 89% of the requests were replied to within 23 
days. 


No joint operations were initiated in 2018. 


In 2018, the Supervisory Authorities of the 31 EEA countries 
reported over a hundred thousand cases at the national 
level. The majority of cases were either related to complaints 
or were initiated on the basis of data breach notifications 
from controllers. 


3.3. CONSULTATIONS 

The EDPB organises public consultations on its guidelines 
to gather the views and concerns of all interested 
stakeholders and citizens. In 2018, the EDPB issued three 
consultations on its draft Guidelines, respectively on 
certification, on the territorial scope of the GDPR and on the 
accreditation of certification bodies. 


As part of the annual review of the EDPB activities — 
established by Article 71 of the GDPR – a stakeholder 
survey was conducted, focusing on 20 GDPR guidelines. 
Respondents were part of trade associations from Europe, 
North-America and Asia-Pacific. 


Sixty-five percent of stakeholders considered the Guidelines 
to be useful. While 45 percent considered them to be 
sufficiently pragmatic and operational for their needs, 23 
percent called for improvement. For instance, shorter and 
more pragmatic guidance was recommended. 


The majority of feedback concerning the consulting and 
drafting process of the Guidelines was positive or neutral. 
Some stakeholders encouraged the EDPB to increase 
opportunities to be involved and cooperate in the drafting 
of Guidelines. 
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Main objectives for 2019 


In 2019 and 2020, the EDPB aims to focus on data subjects’ 
rights, the concept of the controller and processor and 
legitimate interest in the guidance that it provides. The 
EDPB will continue to advise the Commission on matters 
such as cross-border data access requests for e-Evidence, 
the revision or introduction of adequacy decisions for data 
transfers to third countries and any possible revision of the 


EU-Canada Passenger Name Record (PNR) agreement. 


In 2019, the EDPB will continue its mission by deepening 
existing stakeholder relationships and developing new ones 
with relevant parties, while also continuing to participate in 
relevant conferences and maintaining a strong social media 
presence. 
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Contact details 


Postal address 
Rue Wiertz 60, B-1047 Brussels 


Office address 
Rue Montoyer 30, B-1000 Brussels 


Email 
edpb@edpb.europa.eu 
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edpb.europa.eu 
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